- Slides: 34
Axiomatic Semantics
CSE 6341, part 3

- Will consider axiomatic semantics (A.S.) of IMP:
    <stmt> ::= skip | <assign> | <if> | <while> | <stmt>; <stmt> | <input> | <output>
  Only integer vars; no procedures/fns; vars declared implicitly
- References: Kurtz (ch. 11); Pagan (ch. 4.3)
- Summary: For each type of <stmt>, will define its a.s. via an axiom or rule of inference (or just rule). Using these, will be able to show (i.e., derive) that a given program behaves according to its specification.
Preliminaries

- State: The state of a program P is a function σ that maps the program variables of P to their values in that state.
  Example: σ = <x = 1, y = 2, z = 3>; or: σ(x) = 1; σ(y) = 2; σ(z) = 3 (assuming P has 3 prog. vars, x, y, z)
- Usually have to deal with a set of states:
    { <x = 1, y = 2, z = 1>, <x = 1, y = 2, z = 2>, <x = 1, y = 2, z = 3> }
  Better: Specify an assertion (or predicate, or condition) satisfied by all the states in that set and no others:
    [ (x = 1) ∧ (y = 2) ∧ (1 ≤ z ≤ 3) ]
- Important: Assertion ↔ Set of states that satisfy the assertion
Assertions/sets of states

- [ (x = 1) ∧ (1 ≤ y ≤ 5) ∧ (1 ≤ z ≤ 10) ] : set with 50 states
- [ (x = 1) ∧ (y = 2) ] : an infinite set
- [ (x = 1) ∨ (1 ≤ y ≤ 5) ] : an 'even bigger' set
- [ x = y + z ] : ...
- [ x = x ] : the set of all states ≡ true
- [ x ≠ x ] : the empty set ≡ false
Assertions/sets of states (contd.)

Convention:
- p ↔ P (p is an assertion; P the corresponding set of states)
- [p ∧ q] ↔ P ∩ Q
- [¬p] ↔ −P (or, rather, "P bar"; i.e., U − P; U: universal set)
Assertions/sets of states (contd.)

- "⇒" (implication) can be thought of as a relation between two assertions:
    [p ⇒ q] : [P ⊆ Q]
    [p ⇒ true] : [P ⊆ U]
    [false ⇒ p] : [∅ ⊆ P]
- Can also think of "⇒" as a single assertion:
    [p ⇒ q] : (¬p ∨ q)
  Thus:
    [p ⇒ true] : true
    [false ⇒ p] : true
    [p ⇒ p] : true (??)
    [p ⇒ ¬p] : false (??)
    [(x 1) ⇒ (x = 2)] : ??
- The context will tell us whether to think of implication as a relation between assertions or as a single assertion.
Assertions (contd.)

- "x < y" is a syntactic entity when it appears in a program. Elsewhere it is an assertion (satisfied by some states and not others).
- A state σ satisfies the assertion x < y if (and only if) σ(x) is less than σ(y).
- Notation: σ |= (x < y) : "σ satisfies (x < y)"
Key Notation

- The result {p} S {q} (where p, q are assertions and S is a statement) is operationally valid if: if we start execution of S in any state σ ∈ P, the final state σ' when S finishes execution will belong to Q.
- Examples:
    {x = 1} skip {x = 1} : (Operationally) valid
    {(x=1) ∧ (y=2)} skip {x = 1} : Valid
    {x = 1} skip {(x=1) ∧ (y=2)} : Invalid (op. invalid)
    {x = 1} skip {(x=1) ∨ (y=2)} : Valid
    {(x=1) ∨ (y=2)} skip {x = 1} : ??
    {(x=1) ∨ (y=2)} skip {true} : ??
    {(x=1) ∨ (y=2)} skip {false} : ??
"Results" (contd. ) {(x=1) (y=2) } x : = x+1 {(x=2) (y=2)} : Valid {(x=1) (y=2) } x : = x+1 { (x = y) } : Valid {(u=1) (v=2) } x : = x+1 { (v = u+1) } : ? ? {x=0} while (x < 10) do x : = x+1 end {x=10} : Valid What if the loop doesn't terminate? {x 0} while (x < 10) do x : = x+1 end {x=10}: ? ? {x 0} while (x < 10) do x : = x+1 end {x 10} : ? ? CSE 6341, part 3 8
"Results" (contd. ) { p } S { q } is a partial correctness result It is valid if it is the case that: if we start execution of S in any state P, and if the execution terminates, then the final state ' satisfies q {x = 0} while (x 10) do x : = x+1 end {x = 10} : Valid { true } while (x 10) do x : = x+1 end {x = 10} : Also valid Axiomatic semantics: provides a non-operational approach -in the form of a set of axioms and rules of inference-- using which we can 'axiomatically derive' our results CSE 6341, part 3 9
Terminology (*important*!)

- Assertion: may be Satisfied or Not Satisfied by a particular state
- Result: may be Valid or Invalid in a given (operational) model
- Result: may be Derivable or Not Derivable in a given axiom system
- Some meaningless statements:
    "{p} S {q} is true" (note: true is a particular assertion)
    "{p} S {q} is valid for some states"
    "(The assertion) p is not valid"
Relation Between A.S. & Model

- If a given result is derivable in a given axiom system A, will it be valid in an operational model M? Not necessarily.
- Soundness (also "consistency"): An axiom system A is sound/consistent with model M if every result derivable using the axioms/rules of A is valid in M; i.e.:
    |-A {p} S {q}  ⇒  |=M {p} S {q}
- Completeness: An axiom system A is complete with respect to model M if every result that is valid in M is derivable using the axioms/rules of A:
    |=M {p} S {q}  ⇒  |-A {p} S {q}
Axiomatic Semantics of IMP

- A.S.: A collection of "axioms" and "rules of inference" ("rules") specified using the same {p} S {q} notation
- A0: skip axiom
    { p } skip { p }      where p is any assertion
- Using this, can derive:
    { (x = 1) ∧ (y = 2) } skip { (x = 1) ∧ (y = 2) }
  by taking p to be the assertion (x = 1) ∧ (y = 2) & using A0
- Cannot derive: { (x = 1) } skip { (x = 1) ∧ (y = 2) }, which is good (why?)
- Cannot derive: { (x = 1) ∧ (y = 2) } skip { (x = 1) }, which is bad (why?)
Axiomatic Semantics of IMP (contd.)

- R0: Rule of Consequence:
    { p } S { q' },  q' ⇒ q
    ---------------------------
    { p } S { q }
  (p, q, q': any assertions; S: any stmt)
- Using R0 (and A0) we can derive: { (x = 1) ∧ (y = 2) } skip { (x = 1) }
- Another form of rule of consequence:
    p ⇒ p',  { p' } S { q }
    ---------------------------
    { p } S { q }
  (p, q, p': any assertions; S: any stmt)
- Consider other forms of consequence (including inconsistent ones?)
Axiomatic Semantics of IMP (contd.)

- A1. Assignment axiom:
    { p[x/e] } x := e { p }
  where p is any assertion; p[x/e] is obtained from p by (simultaneously) replacing all occurrences of x in p by e. (Note: p with x replaced by e is also written p^x_e.)
- We can derive:
    { x+1 = y+z } x := x+1 { x = y+z }      (take p to be x = y+z)
    { y+z = y+z } x := y+z { x = y+z }      (take p to be x = y+z)
    { y+z ≥ 0 } x := y+z { x ≥ 0 }          (take p to be x ≥ 0)
- Operational Justification: If we want the state following the assignment to satisfy p, the state before it should satisfy the same assertion, except with the value of e satisfying the conditions expected of the value of x.
Axiomatic Semantics of IMP (contd.)

- Caution: In axiomatic derivations, you are only allowed to use the axioms and rules of the system; no appeals to operational intuitions. If you make such appeals, you have an operational argument, not an axiomatic derivation.
- Summary: The axiomatic semantics of a language consists of:
    An axiom for each atomic statement
    A rule (of inference) for each compound stmt
    + Logical rules
Axiomatic Semantics of IMP (contd.)

- R1: Sequential Composition:
    { p } S1 { q' },  { q' } S2 { q }
    ------------------------------------
    { p } S1; S2 { q }
  (p, q', q: any assertions; S1, S2: any stmts.)
- Using this, the skip axiom, & the assignment axiom, we can derive:
    {x+1 = y+z} skip; x := x+1 {x = y+z}
- Operational Justification: If the state before S1 starts execution satisfies p, then { p } S1 { q' } guarantees that the state when S1 finishes will satisfy q'; hence { q' } S2 { q } guarantees the state when S2 finishes will satisfy q; hence the conclusion of the rule follows given these two results.
- Caution: In (axiomatic) derivations, no appeals to operational intuitions!
Axiomatic Semantics of IMP (contd.)

- write e  ≡  out := out ^ e
- A2. write axiom:
    { p[out / out^e] } write e { p }      (where p is any assertion)
- read x  ≡  ( x := head(in); in := tail(in) )
    { (p[in/tail(in)])[x/head(in)] }
    x := head(in);
    { p[in/tail(in)] }
    in := tail(in)
    { p }
- A3. read axiom:
    { (p[in/tail(in)])[x/head(in)] } read x { p }      (p: any assertion)
Axiomatic Semantics of IMP (contd.)

- Problem: Derive the following result (axiomatically):
    { (in = <3, 4>) ∧ (out = <>) } read x; read y; write (x+y); { out = <7> }
- Derivation (or "proof") outline:
    { (in = <3, 4>) ∧ (out = <>) }
      (rule of cons.)
    { out^(head(in) + head(tail(in))) = <7> }
      (read axiom)
    read x;
    { out^(x + head(in)) = <7> }
      (read axiom)
    read y;
    { out^(x + y) = <7> }
      (write axiom)
    write (x+y);
    { out = <7> }
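The outline above computes each precondition by substitution (A1 to A3) and then discharges the remaining implication with the rule of consequence. The following added example (not from the slides) realises that substitution semantically for straight-line IMP and checks the outline mechanically; the statement-tuple encoding, the `wp` function and the constructed sample states are assumptions of the example.

```python
# Added example (not from the slides): a weakest-precondition calculator for
# straight-line IMP (skip, x := e, read x, write e, S1; S2). It realises the
# axioms A0-A3 semantically: instead of textual substitution p[x/e], the
# precondition is "q holds in the state updated as the statement would update
# it". States are dicts; "in"/"out" are tuples; e is a Python function of state.

def wp(stmt, q):
    """Weakest precondition of statement `stmt` for postcondition `q`."""
    kind = stmt[0]
    if kind == "skip":                  # A0: {p} skip {p}
        return q
    if kind == "seq":                   # R1: {p} S1 {q'}, {q'} S2 {q}  =>  {p} S1; S2 {q}
        return wp(stmt[1], wp(stmt[2], q))
    if kind == "assign":                # A1: {q[x/e]} x := e {q}
        x, e = stmt[1], stmt[2]
        return lambda s: q({**s, x: e(s)})
    if kind == "write":                 # A2: {q[out/out^e]} write e {q}
        e = stmt[1]
        return lambda s: q({**s, "out": s["out"] + (e(s),)})
    if kind == "read":                  # A3: {(q[in/tail(in)])[x/head(in)]} read x {q}
        x = stmt[1]
        return lambda s: q({**s, x: s["in"][0], "in": s["in"][1:]})
    raise ValueError(f"unknown statement {kind}")

# The slide's program:  read x; read y; write (x+y)
PROG = ("seq", ("read", "x"),
        ("seq", ("read", "y"),
                ("write", lambda s: s["x"] + s["y"])))
PRE = lambda s: s["in"] == (3, 4) and s["out"] == ()    # (in = <3,4>) ∧ (out = <>)
POST = lambda s: s["out"] == (7,)                       # out = <7>

def consequence_holds(pre, stmt, post, states):
    """Rule of consequence: pre ⇒ wp(stmt, post), checked on every given state."""
    w = wp(stmt, post)
    return all((not pre(s)) or w(s) for s in states)

def sample_states():
    """Constructed sample states (x, y arbitrary; every 'in' is non-empty)."""
    return [{"in": ins, "out": outs, "x": 0, "y": 0}
            for ins in [(3, 4), (3, 4, 5), (2, 5), (1, 2)]
            for outs in [(), (7,)]]

if __name__ == "__main__":
    print("derivation checks out:", consequence_holds(PRE, PROG, POST, sample_states()))
```

Because `wp` of `read x` takes `head(in)` of the current state, it is undefined on states with `in = <>`, which is exactly the gap the total-correctness read axiom on a later slide closes.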
Axiomatic Semantics of IMP (contd.)

- R2: If-then-else:
    { p ∧ b } S1 { q },  { p ∧ ¬b } S2 { q }
    --------------------------------------------
    { p } if b then S1 else S2 { q }
- Operational Justification: Suppose we start in a state σ ∈ P. There are two ways to proceed: if b, execute S1; if not, execute S2. In either case, the hypotheses (assuming they are valid) guarantee that the final state will satisfy q. Hence the conclusion follows.
- Caution: In (axiomatic) derivations, no appeals to operational intuitions!
Axiomatic Semantics of IMP (contd.)

- Problem: Derive the following result (axiomatically):
    { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }
  1. { (y = 1) } x := 1 { x = 1 }      (by Ass. ax., rule of conseq.)
  2. { 2 = 1 } x := 2 { x = 1 }        (by Ass. ax., rule of conseq.)
  3. { (y = 1) ∧ (y ≠ 1) } x := 2 { x = 1 }      (by (2), rule of conseq.)
  4. { y = 1 } if (y = 1) then x := 1 else x := 2 { x = 1 }      (by (1), (3), and if-then-else rule)
- Derive:
    { true } if (y = 1) then x := 1 else x := 2 { (x = 1) ∨ (x = 2) }
    { true } if (y = 1) then ... { [(y=1) ∧ (x = 1)] ∨ [(y ≠ 1) ∧ (x = 2)] }
Axiomatic Semantics of IMP (contd.)

- R3: while rule:
    p ⇒ q,  { q ∧ b } S { q },  (q ∧ ¬b) ⇒ r
    ----------------------------------------------
    { p } while b do S { r }
- The following rule, given the rule of conseq., is equivalent:
    { q ∧ b } S { q }
    ----------------------------------------------
    { q } while b do S { q ∧ ¬b }
  I.e.: Any result derivable using R3 is derivable using the above.
- Operational justification: ...
- R3 is complete ... somewhat surprising: we can always find an appropriate loop invariant.
Axiomatic Semantics of IMP (contd.)

- Problem: Derive the following result (axiomatically):
    { (x ≥ 0) ∧ (y > 0) }
    q := 0; r := x;
    while ((r-y) ≥ 0) do q := q+1; r := r - y; end
    { (x = q*y + r) ∧ (0 ≤ r < y) }
- Take loop invariant p to be:
    p ≡ [ (x = q*y + r) ∧ (0 ≤ r) ∧ (y > 0) ]
- Derivation outline:
  Key step 1: { p ∧ ((r-y) ≥ 0) } q := q+1; r := r-y { p }
    { (x ≥ 0) ∧ (y > 0) }
      (by ass. ax., seq. comp., conseq.)
    q := 0; r := x;
    { (x ≥ 0) ∧ (y > 0) ∧ (q=0) ∧ (r=x) }
    { p }
  Key step 2: [ p ∧ ¬((r-y) ≥ 0) ] ⇒ [ (x = q*y + r) ∧ (0 ≤ r < y) ]      (by math logic/oracle)
    while ...
    { p ∧ ¬((r-y) ≥ 0) }
    { (x = q*y + r) ∧ (0 ≤ r < y) }
Axiomatic Semantics of IMP (contd.)

- Derive:
    { in = <1, 2, 3, ..., 100> ∧ out = <> }
    read x;
    while (x ≠ 100) do write x; read x; end
    { out = <1, 2, ..., 99> }
- Take loop invariant p to be:
    p ≡ [ out^x^in = <1, 2, ..., 100> ]
- Derivation outline:
    { in = <1, 2, 3, ..., 100> ∧ out = <> }
    read x;
    { (x=1) ∧ (in = <2, 3, ..., 100>) ∧ (out = <>) }
    { out^x^in = <1, 2, ..., 100> }
    while (x ≠ 100) do write x; read x; end
    { (out^x^in = <1, 2, ..., 100>) ∧ (x = 100) }
    { out = <1, 2, ..., 99> }
Axiomatic Semantics of IMP (contd.)

- Derive:
    { in = <1, 2, 3, ..., 100> ∧ out = <> }
    s := 0; read x;
    while (x ≠ 100) do s := s+x; read x; end
    { s = Σ_{k=0..99} k }
- Take loop invariant p to be:
    [ (#in = 100 - x) ∧ ∀k. [(0 < k ≤ #in) ⇒ (in[k] = x+k)] ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..x-1} k) ]
- A more intuitive loop invariant:
    [ (in = <x+1, ..., 100>) ∧ (1 ≤ x ≤ 100) ∧ (s = Σ_{k=0..x-1} k) ]
- Key step: { p ∧ (x ≠ 100) } s := s+x; read x; { p }
- Note: (head(in) = x+1) [implied by p] is important in showing that (p ∧ (x ≠ 100)) implies p' [obtained by taking p back through the body].
(In)Completeness

- R3: while rule:
    p ⇒ q,  { q ∧ b } S { q },  (q ∧ ¬b) ⇒ r
    ----------------------------------------------
    { p } while b do S { r }
- A simpler rule:
    p ⇒ q,  { q } S { q },  (q ∧ ¬b) ⇒ r
    ----------------------------------------------
    { p } while b do S { r }
- Using this rule, we can derive:
    { x=0 } while (x ≠ 10) do x := x+1 { x = 10 }
  Take p to be (x=0) and q to be true.
(In)Completeness (contd.)

- The rule is incomplete:
    p ⇒ q,  { q } S { q },  (q ∧ ¬b) ⇒ r
    ----------------------------------------------
    { p } while b do S { r }
- Cannot derive:
    { x=0 ∧ y=0 } while (x ≠ 0) do y := y+1 { x=0 ∧ y=0 }
- Proof: Suppose we could. Then there must exist q such that:
    a. (x=0 ∧ y=0) ⇒ q
    b. {q} y := y+1 {q}
    c. (q ∧ x=0) ⇒ (x=0 ∧ y=0)
  Then <x=0, y=0, z=0> ∈ Q [by (a)]
  Hence <x=0, y=1, z=0> ∈ Q [by (b)]
  Hence <x=0, y=1, z=0> ∈ Q ∩ (x=0) [why?]
  But <x=0, y=1, z=0> is not in (x=0 ∧ y=0)
  Hence such a q cannot exist!
Consistency/Completeness

- How do you show a system A is consistent and/or complete (with respect to a model M)? Generally a tedious task.
- Special case: If we are told that A' is consistent/complete and A is obtained from A' by making some changes to some rules of A', we may be able to use the following approach:
    Completeness: Show that all results derivable in A' are also derivable in A. Then completeness of A' implies completeness of A (with respect to the same model).
    Consistency: Show that all results derivable in A are also derivable in A'. Then consistency of A' implies consistency of A (with respect to the same model).
Axiomatic Semantics of IMP (contd.)

- Suppose we change the if-then-else rule:
    { p ∧ b } S1 { q },  { p ∧ ¬b } S2 { q }
    --------------------------------------------
    { p } if b then S1 else S2 { q }
  To:
    { p ∧ b } S1 { q ∧ b },  { p ∧ ¬b } S2 { q ∧ ¬b }
    ------------------------------------------------------
    { p } if b then S1 else S2 { q }
- The resulting system will be consistent: show that every result derivable in the new system is derivable in the original system.
- Completeness?
Total Correctness

- How do we derive: { in = <> } read x { false } ?      (1)
  We can't!
- A better axiom for read:
    (p ∧ in ≠ <>) ⇒ (q[in/tail(in)])[x/head(in)]
    --------------------------------------------------
    { p } read x { q }
  With this axiom, we can derive (1).
- Also suggests a total correctness axiom for read:
    p ⇒ [ in ≠ <> ∧ (q[in/tail(in)])[x/head(in)] ]
    --------------------------------------------------
    <p | read x | q>
Total Correctness (contd.)

- Similar considerations for assignment:
    { (x=0) ∧ (y=3) } z := y/x { false } ?      (1)
  We can't!
- A better axiom:
    (p ∧ D(e)) ⇒ (q[x/e])
    --------------------------------------------------
    { p } x := e { q }
  With this axiom, we can derive (1).
- Also suggests a total correctness axiom:
    p ⇒ [ D(e) ∧ q[x/e] ]
    --------------------------------------------------
    <p | x := e | q>
Total Correctness (contd.)

- Total correctness rule for while:
    (p ∧ b) ⇒ (f > 0),  <p ∧ b ∧ f=k | S | p ∧ (f < k)>
    --------------------------------------------------------
    <p | while b do S | p ∧ ¬b>
  a. Why does f have to be an integer function of the state?
  b. What if b is not well defined?
  c. What would happen if we change "<... | ... >" in the second line to "{...} ... {...}"?
- The other rules are essentially the same as the corresponding partial correctness rules:
    <p | S1 | q1>,  <q1 | S2 | q>
    ----------------------------------
    <p | S1; S2 | q>
Total Correctness (contd.)

- Derive:
    < s=0 ∧ x=0 | while x ≠ 10 do x := x+1; s := s+x; end | s = 0 + 1 + 2 + 3 + ... + 10 >
- Loop invariant: p ≡ (0 ≤ x ≤ 10 ∧ s = Σ_{n=0..x} n)
- Progress function (also called: "progress metric", "convergence function", etc.): f(x, s) ≡ (10 - x)
- Check: (p ∧ (x ≠ 10)) ⇒ (f > 0) : easy
- Derive: <p ∧ (x ≠ 10) ∧ (f=k) | x := x+1; s := s+x | p ∧ (f < k)> : exercise
- Hence the original result follows from the rule for loops.
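The loop obligations on this slide, and those of the division loop on slide 22, can be checked mechanically on a finite box of states. This added example (not from the slides) does so for both loops: invariant preservation, the exit implication, and for total correctness the progress-function conditions. The `check_while` and `box` helpers, the state ranges, and the choice f = r as the progress function for the division loop (the slide gives none) are assumptions of the example.

```python
# Added example (not from the slides): brute-force checking of the while-rule
# obligations over a finite box of states, for the loops of slides 22 and 32.
# For invariant p, guard b, body S (a state -> state function), post r and an
# optional progress function f it reports, per obligation, the states that fail:
#   "preserve": {p ∧ b} S {p}          "exit":  (p ∧ ¬b) ⇒ r
#   "f>0":      (p ∧ b) ⇒ f > 0         "f dec": f strictly decreases across S
# An empty dict means every obligation holds on the box. Initialisation
# (pre ⇒ p after the loop's prefix) is not checked here.
from itertools import product

def check_while(states, p, b, body, r, f=None):
    fails = {}
    for s in states:
        if p(s) and b(s):
            s2 = body(s)
            if not p(s2):
                fails.setdefault("preserve", []).append(s)
            if f is not None and not f(s) > 0:
                fails.setdefault("f>0", []).append(s)
            if f is not None and not f(s2) < f(s):
                fails.setdefault("f dec", []).append(s)
        elif p(s) and not r(s):
            fails.setdefault("exit", []).append(s)
    return fails

def box(**ranges):
    """All states over the given per-variable ranges (a constructed test box)."""
    return [dict(zip(ranges, vals)) for vals in product(*ranges.values())]

# Slide 22: integer division, invariant p ≡ (x = q*y + r) ∧ (0 ≤ r) ∧ (y > 0).
div_p = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] and s["y"] > 0
div_p_weak = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"]  # drops y > 0
div_b = lambda s: s["r"] - s["y"] >= 0
div_body = lambda s: {**s, "q": s["q"] + 1, "r": s["r"] - s["y"]}   # q := q+1; r := r-y
div_r = lambda s: s["x"] == s["q"] * s["y"] + s["r"] and 0 <= s["r"] < s["y"]
div_f = lambda s: s["r"]     # assumed progress function (the slide gives none)
DIV_BOX = box(x=range(0, 8), y=range(-2, 5), q=range(-1, 6), r=range(-1, 9))

def check_division(invariant=div_p):
    return check_while(DIV_BOX, invariant, div_b, div_body, div_r, div_f)

# Slide 32: summation, p ≡ (0 ≤ x ≤ 10) ∧ (s = Σ_{n=0..x} n), f ≡ 10 - x.
sum_p = lambda s: 0 <= s["x"] <= 10 and s["s"] == sum(range(s["x"] + 1))
sum_b = lambda s: s["x"] != 10
sum_body = lambda s: {**s, "x": s["x"] + 1, "s": s["s"] + s["x"] + 1}  # x := x+1; s := s+x
sum_r = lambda s: s["s"] == sum(range(11))
sum_f = lambda s: 10 - s["x"]

def check_sum():
    return check_while(box(x=range(-1, 12), s=range(0, 60)), sum_p, sum_b, sum_body, sum_r, sum_f)

if __name__ == "__main__":
    print("division:", check_division(), "sum:", check_sum())
    print("weak invariant fails:", sorted(check_division(div_p_weak)))  # partial OK, no progress
```

With `div_p_weak` (the invariant without `y > 0`) every partial-correctness obligation still holds on the box, but `f > 0` and the decrease of `f` fail for `y ≤ 0`, which is why the total-correctness rule needs the conjunct the partial proof could do without.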
Non-determinism

Guarded commands:
- Selection: [ b1 → S1 | b2 → S2 | ... | bn → Sn ]
  To execute: choose any bi that evaluates to true and execute the corresponding Si; if all bi are false, error.
  e.g.: [ x ≥ y → z := x | y ≥ x → z := y ] : sets z to the larger of x, y
- Repetition: *[ b1 → S1 | b2 → S2 | ... | bn → Sn ]
  To execute: choose any bi that evaluates to true and execute the corresponding Si. Repeat until, after some no. of iterations, all bi evaluate to false; at that point, stop. The loop may not terminate, or may terminate in 0 iterations.
  e.g.: *[ x1 > x2 → exch(x1, x2) | x2 > x3 → exch(x2, x3) | x3 > x4 → exch(x3, x4) ] : sorts [x1, x2, x3, x4]
Axiomatics of non-determinism

- Selection:
    { p ∧ b1 } S1 { q },  { p ∧ b2 } S2 { q },  ...,  { p ∧ bn } Sn { q }
    ------------------------------------------------------------------------
    { p } [ b1 → S1 | b2 → S2 | ... | bn → Sn ] { q }
- Repetition:
    { p ∧ b1 } S1 { p },  { p ∧ b2 } S2 { p },  ...,  { p ∧ bn } Sn { p }
    ------------------------------------------------------------------------
    { p } *[ b1 → S1 | ... | bn → Sn ] { p ∧ ¬b1 ∧ ¬b2 ∧ ... ∧ ¬bn }
- In the selection rule, what if none of the bi's evaluates to true?
- Total correctness rules?